Corrupted Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyberattack on companies ranging from British ad agency WPP to Tasmanian Cadbury’s factory, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those suffering inabilities to process orders or else general computer shutdowns.

Heralded as “a recent dangerous trend” by Microsoft, this attack comes just 6 weeks after the WannaCry attack primarily affecting NHS hospitals. Both attacks appear to make use of a Windows vulnerability called ‘Eternal Blue,’ thought to have been discovered by the NSA and leaked online – although the NSA has not confirmed this. The NSA’s possible use of this vulnerability, which has served to create a model for cyber-attacks for political and criminal hackers, has been described by security experts as “a nightmare scenario.”

A BBC report suggests that given 80% of all instances of this malware were in Ukraine, and that the provided email address for the ‘ransom’ closed down quickly, the attack could be politically motivated at Ukraine or those who do business in Ukraine. Recent announcements suggest it could be related to data not money.

The malware appears to have been channelled through the automatic update system, according to security experts including the malware expert credited with ending the WannaCry attack, Marcus Hutchins. The MEDoc software would have originally begun this process legitimately, but at some point the update system released the malware into numerous companies’ computer systems.

In a blog published at the end of last week, the tech firm Google have confirmed that they will stop scanning Gmail users’ emails for the sake of accruing data to be used in personalised adverts, by the end of the year. This will put the consumer version of Gmail in line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of the election this month. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates – in a severe breach of election law.

Despite the information commissioner Elizabeth Denham’s written warnings to all major parties before the election began, reminding them of data protection law and the illegality of such telecommunications, the Conservatives operated a fake market research company. This constitutes a breach separate to election law, and mandates the Information Commissioner’s Office to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

It’s the weekend before Christmas. Have you done all your Christmas shopping? If you’re shopping online, this is the last weekend you can really do your online shopping and still get everything delivered on time.

Now you may be bored of hearing it but please be careful, look after your passwords, change them regularly, don’t have devices store your information! Lets start the year without a stranger stealing money from your credit cards and bank accounts!

Yahoo…Again

This week brings us the news that Yahoo had announced a hack from 2013 – a separate breach to the 500,000 hacked records announced in September.

Yahoo was investigating the 2014 breach when it uncovered the earlier hack – this time discovering that a billions accounts had been compromised.

The reputational damage to Yahoo is enormous – a clear pattern of poor security is emerging and if I had an account with Yahoo, I’d be considering changing my provider immediately. Having said that, though, how can we be certain that other companies haven’t had similar breaches and we just don’t know about them yet?

The ICO’s deputy commissioner, Simon Entwisle has released a statement saying that they are talking to Yahoo and will try to find out how many UK users have been affected by the latest hack. Their immediate advice is to recommend strongly that customers change their passwords if they haven’t already.

TalkTalkAn update on the huge TalkTalk hack has been released. One of the hackers, a 17 year old, has admitted to 7 offences relating to the hack and has been given a 12-month rehabilitation order and an £85 fine. He was told his excellent computer skills need to be used for the good. 19-year old Daniel Kelley also pleaded guilty. He has been told that a jail sentence is inevitable, and has been released on bail prior to sentencing in March.

UberUber has come under fire after an ex-worker claimed that staff could track fares of celebrities, politicians and even ex-partners. If that’s true, it’s lucky for me I’ve only ever used it in Australia where no exes live and unfortunately I’m not yet a celeb!

Uber released a statement to the Standard stating that the claims made by Mr Spangenberg are “absolutely not true … we have hundreds of security and privacy experts working round the clock to protect our data … all potential violations are quickly and thoroughly investigated.” Uber also makes it clear that access to personal data is limited to approved workers who may only access the data they need in order to perform their job function.

Lionhead Studio just as bad as ‘Trolls”?It has been released this week at a BAFTA event that a teenager targeted Sam van Tilburgh and his team, back in 2003, when they were creating the game Fable. The teen released a screen shot of the hero stabbing a child in the head – something no one was expecting to see.

Rather than go through official routes, Tilburgh and team decided adopt an unconventional aporiach. They were able to track the boy’s IP address and let care the teenager. They then ‘acquired’ some of his school work from and published a part of it, with a demand that he stop or they would publish more and tell be his family what he was up to. He did indeed stop.

Tilburgh said Lionhead’s legal team knew nothing of the retaliating hack, and it has taken 13 years for the story to surface! I wonder if there’ll be repercussions.

The National Lottery hit with fineSo it wasn’t so long ago we heard that hackers had attacked The National Lottery (TNL). Today we hear TNL’s operator Camelot has been issued with a fine of £3m because of a fraudulent payout back in 2009. How this happened has not yet been announced but it sounds as if a ‘deliberately damaged ticket’ was to blame. The prize fund payout is suspected to be around £2.5m but the actual figure has not yet been officially released.

I, for one will continue to buy my lottery tickets. Although The National Lottery has come under fire recently, it has fuelled a whopping £36 billion into good causes such as sports, community and heritage projects. Also imagine if you won.. (legitimately)

Another day … another hack. Such events are inescapably becoming almost daily news. The endless catalogue of everyday cyber crime, ranging from hacking, ransom attacks, bullying, breaches, theft and fraud, simply underlines that any crime that can be committed in our physical world can – and is – equally being perpetrated in cyber space.

Given that such attacks and breaches are making the headlines almost daily, it baffles me that companies and customers (that’s us by the way) don’t make a greater effort to protect themselves.

Camelot, The National Lottery’s operator, discovered this latest breach on Sunday and went public on Wednesday morning. Camelot says that only 26,500 of the 9.5 million registered user accounts were compromised, and that there has only been activity on just under 50 of the infiltrated accounts. They have confirmed that no money has been removed or added to any of these accounts and that the National Lottery does not hold full debit card or bank account details. The Information Commissioner’s Office says it has launched an investigation.

Camelot insists that the reason for the compromised accounts is because users have been operating the same password for multiple websites. (Sound familiar? Last week’s Deliveroo breach comes to mind).

Quite properly when we hear of a data breach we turn the spotlight onto the companies that we deal with, who are in charge of protecting our information. But it would be no bad thing for us to point the spotlight at ourselves as the other half of the equation. As consumers, we have to take responsibility too.

We have all repeatedly been advised – and frankly, must surely know by now – it is vital that a different password is used for every website. For as long as we fail to take this basic precaution, these breaches will be possible. It would seem that we’re no or slow learners.

I don’t know about you, but I have more accounts than I care to think about. A password including capital letters, symbols and numbers is difficult enough to remember for just one account. However with hacks happening more and more frequently it’s made me pull up my socks and change all of my passwords.

I choose not to have my phone or computer store my passwords, because if either device is stolen (or lost) someone will have all my information in the palm of their hand.

It’s time we all realised how vitally important it is to have safe and secure and different passwords for every account we have, especially when cyber criminals are getting wiser and more sophisticated by the minute. A password is a key. So using just one password to access all your websites means that you are effectively handing criminals the master key to all your online activity.

Hint – A password with 12 characters including a few bits and pieces can take over 2 centuries to crack … that’s the one for me!